Build a sidecar container that refreshes s3 credentials #11945
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Originally I had a new top level module called fdbkubernetescredentials (beside fdbkubernetesmonitor) to host golang perpetual refresher script. It seemed a bit much just to host a simple script so moved it down under packaging/docker instead as fdb-aws-s3-credentials-fetcher. The base container is a bit fat for simple script but keeping it so for the moment at least until can show stuff is basically working. For IRSA (IAM Roles for Service Accounts) , it looks like I need to add service accounts as part of deploy but the script seems to work in EKS w/o. Lets see. |
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr-macos-m1 on macOS Ventura 13.x
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-cluster-tests on Linux CentOS 7
|
Result of foundationdb-pr-clang on Linux CentOS 7
|
Result of foundationdb-pr-macos on macOS Ventura 13.x
|
Result of foundationdb-pr on Linux CentOS 7
|
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr-macos-m1 on macOS Ventura 13.x
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-cluster-tests on Linux CentOS 7
|
Result of foundationdb-pr-clang on Linux CentOS 7
|
Result of foundationdb-pr-macos on macOS Ventura 13.x
|
Result of foundationdb-pr on Linux CentOS 7
|
|
|
|
Closed wrong PR. |
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-clang on Linux CentOS 7
|
Result of foundationdb-pr on Linux CentOS 7
|
Result of foundationdb-pr-cluster-tests on Linux CentOS 7
|
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-macos on macOS Ventura 13.x
|
Result of foundationdb-pr on Linux CentOS 7
|
johscheuer
reviewed
Feb 27, 2025
fdbclient/tests/aws_fixture.sh
Outdated
| else | ||
| # No go so fall back to old way of writing blob credentials. | ||
| if ! credentials=$( curl -H "X-aws-ec2-metadata-token: ${token}" \ | ||
| http://169.254.169.254/latest/meta-data/iam/security-credentials/foundationdb-dev_node_instance_role ); then |
There was a problem hiding this comment.
I don't think we want to hardcode any roles here. But I just saw that those changes are only moved around.
There was a problem hiding this comment.
Makes sense. I added reading from environment variable and if not provided, use current value as default.
| @@ -258,6 +259,7 @@ image_list=( | |||
| 'foundationdb-base' | |||
| 'foundationdb' | |||
| 'fdb-kubernetes-monitor' | |||
| 'fdb-aws-s3-credentials-fetcher-sidecar' | |||
There was a problem hiding this comment.
We probably have to do some additional changes in our release scripts, assuming we want to publish this script somewhere.
There was a problem hiding this comment.
Nod. This new image you mean? I can follow up w/ the release scripts after this goes in.
| @@ -0,0 +1,151 @@ | |||
| package main | |||
There was a problem hiding this comment.
Can we add a copyright header?
packaging/docker/fdb-aws-s3-credentials-fetcher/fdb-aws-s3-credentials-fetcher.go
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| func refreshCredentials(bucket, region, credFile string) error { | ||
| ctx := context.Background() |
There was a problem hiding this comment.
The context should actually be passed down into the method, otherwise there is no way to create a context that propagates the cancellation or the deadline.
packaging/docker/fdb-aws-s3-credentials-fetcher/fdb-aws-s3-credentials-fetcher.go
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| region := flag.String("region", defaultRegion, "AWS region for S3 endpoint (default from AWS_REGION env var)") | ||
| dir := flag.String("dir", "", "Directory path where credentials file will be stored") |
There was a problem hiding this comment.
We could use the same flag package as we use in the fdb-kubernetes-monitor package if we add this utility to the foundationdb repo: /~https://github.com/apple/foundationdb/blob/main/fdbkubernetesmonitor/main.go#L119-L140.
There was a problem hiding this comment.
Used pflag instead of flag (seems nicer)
|
|
||
| // Main credential refresh loop | ||
| log.Printf("Starting credential refresh loop") | ||
| for { |
There was a problem hiding this comment.
Another approach would be to use a ticker
| // Main credential refresh loop | ||
| log.Printf("Starting credential refresh loop") | ||
| for { | ||
| if err := refreshCredentials(*bucket, *region, credFile); err != nil { |
There was a problem hiding this comment.
I believe the AWS SDK package has some functionality to check if the tokens are expired or not, that might be a good option instead of requesting a new token every time.
There was a problem hiding this comment.
Thanks for the pointer...
There was a problem hiding this comment.
Thanks for the review.
…dentials-fetcher.go Co-authored-by: Johannes Scheuermann <johscheuer@users.noreply.github.com>
…dentials-fetcher.go Co-authored-by: Johannes Scheuermann <johscheuer@users.noreply.github.com>
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr-macos-m1 on macOS Ventura 13.x
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-cluster-tests on Linux CentOS 7
|
Result of foundationdb-pr-macos on macOS Ventura 13.x
|
Result of foundationdb-pr-cluster-tests on Linux CentOS 7
|
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr-clang-ide on Linux CentOS 7
|
Result of foundationdb-pr on Linux CentOS 7
|
Result of foundationdb-pr-clang on Linux CentOS 7
|
Result of foundationdb-pr-clang on Linux CentOS 7
|
Result of foundationdb-pr on Linux CentOS 7
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-clang on Linux CentOS 7
|
Result of foundationdb-pr-clang-arm on Linux CentOS 7
|
Result of foundationdb-pr-cluster-tests on Linux CentOS 7
|
Result of foundationdb-pr-clang on Linux CentOS 7
|
Result of foundationdb-pr on Linux CentOS 7
|
Result of foundationdb-pr on Linux CentOS 7
|
Result of foundationdb-pr-cluster-tests on Linux CentOS 7
|
Result of foundationdb-pr-macos on macOS Ventura 13.x
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
packaging/docker/Dockerfile
Add fdb-aws-s3-credentials-fetcher-sidecar container. Runs perpetual script that writes blob-credentials.json to /var/fdb.
packaging/docker/build-images.sh
Build and publish new sidecar container
packaging/docker/fdb-aws-s3-credentials-fetcher/README.md
packaging/docker/fdb-aws-s3-credentials-fetcher/fdb-aws-s3-credentials-fetcher.go
packaging/docker/fdb-aws-s3-credentials-fetcher/go.mod
packaging/docker/fdb-aws-s3-credentials-fetcher/go.sum
Script that fetches credentials via IRSA (IAM Roles for Service Accounts).